Policy Advanced Options Configuration

You can specify additional optional settings and parameters when configuring a policy.

To Set Advanced Policy Options

  1. Enter the necessary information:

NAT (Network Address Translation): You can select Source Translation or Destination Translation or both simultaneously. (Source and destination translation are not mutually exclusive.)

Source Translation: To apply source network address translation (NAT-src), select Source Translation.

If you want to translate the original source IP address to an address from a Dynamic IP (DIP) pool, select a previously defined DIP pool from the DIP on drop-down list. If you want to translate the source IP address to that of the egress interface, select the first item in the drop-down list: None (Use Egress Interface IP). (For information on creating DIP pools, see Dynamic IP Address Pool Configuration.)

Destination Translation: To apply destination network address translation (NAT-dst), select Destination Translation.

You can translate the original destination IP address to a different IP address. To do so, select Translate to IP and enter the IP address to which you want to translate the original destination IP address. The NetScreen device can perform such one-to-one destination network address translation with or without changing the destination port numbers. To map the original destination port number in the segment header to another port number, select the Map to Port check box and enter the post-translation port number. To leave the original destination port number unaltered, do not select the Map to Port option.

You can also translate a range of original destination IP addresses to another range of IP addresses. Select the Translate to IP Range check box and enter the two IP addresses at the start and end of the post-translated IP range. ScreenOS employs an address shifting mechanism to maintain the relationships among the original range of destination addresses after translating them to the new range of addresses.
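The two destination-translation modes described above, one-to-one (with or without Map to Port) and range translation with address shifting, can be modelled in a few lines. The following is an added example written for this page, not ScreenOS code: `NatDst` and `apply_nat_dst` are hypothetical names, and `orig_range` stands for the policy's original destination address range, which on the device comes from the policy's destination address object.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass
class NatDst:
    """Destination Translation settings from the policy page (hypothetical model).

    translate_to_ip / map_to_port model "Translate to IP" and "Map to Port";
    translate_to_range models "Translate to IP Range". orig_range is the
    policy's original destination address range (an assumption of this model).
    """
    orig_range: Tuple[str, str]
    translate_to_ip: Optional[str] = None
    map_to_port: Optional[int] = None
    translate_to_range: Optional[Tuple[str, str]] = None

    def __post_init__(self) -> None:
        # Exactly one translation mode must be chosen.
        if (self.translate_to_ip is None) == (self.translate_to_range is None):
            raise ValueError("choose exactly one of Translate to IP or Translate to IP Range")
        # Map to Port only makes sense for one-to-one translation.
        if self.map_to_port is not None and self.translate_to_ip is None:
            raise ValueError("Map to Port only applies to one-to-one translation")
        lo, hi = (IPv4(a) for a in self.orig_range)
        if hi < lo:
            raise ValueError("original range end precedes its start")
        if self.translate_to_range is not None:
            new_lo, new_hi = (IPv4(a) for a in self.translate_to_range)
            # Address shifting keeps each address at the same offset, so the
            # translated range must be exactly as large as the original one.
            if int(new_hi) - int(new_lo) != int(hi) - int(lo):
                raise ValueError("translated range must be the same size as the original range")


def apply_nat_dst(policy: NatDst, dst_ip: str, dst_port: int) -> Tuple[str, int]:
    """Return the post-translation (ip, port) for a packet.

    Packets whose destination lies outside the policy's original range are
    not matched by the policy and are returned unchanged.
    """
    ip = IPv4(dst_ip)
    lo, _hi = (IPv4(a) for a in policy.orig_range)
    if not (lo <= ip <= IPv4(policy.orig_range[1])):
        return dst_ip, dst_port  # policy does not match: no translation
    if policy.translate_to_ip is not None:
        # One-to-one: port changes only when Map to Port is set.
        port = policy.map_to_port if policy.map_to_port is not None else dst_port
        return policy.translate_to_ip, port
    # Range translation: shift the address by its offset within the original range.
    new_lo = IPv4(policy.translate_to_range[0])
    return str(new_lo + (int(ip) - int(lo))), dst_port


if __name__ == "__main__":
    # Constructed sample policies using documentation address space.
    one_to_one = NatDst(orig_range=("203.0.113.10", "203.0.113.10"),
                        translate_to_ip="10.1.1.5", map_to_port=8080)
    shifted = NatDst(orig_range=("203.0.113.1", "203.0.113.10"),
                     translate_to_range=("10.1.1.1", "10.1.1.10"))
    print(apply_nat_dst(one_to_one, "203.0.113.10", 80))   # ('10.1.1.5', 8080)
    print(apply_nat_dst(shifted, "203.0.113.5", 22))       # ('10.1.1.5', 22)
```

The size check in `__post_init__` is the part worth keeping in mind when building a range translation: if the two ranges differ in length, the offset relationship the device preserves has no well-defined target for part of the original range.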

Authentication: Select this feature to require the user at the specified source address to provide authentication when the action is set to Permit or Tunnel.

Select the authentication server:

Auth Server: Select the Local database or an external authentication server to authenticate users. The default database is the one that you set on the Configuration > Auth > Firewall page. A security device supports external RADIUS, SecurID and LDAP servers. Before you can select an external authentication server from the drop-down list, you must first configure it (see Auth Server Configuration).

WebAuth: Select this option if you want to use WebAuth authentication.

Note: If you select WebAuth as the authentication method, you must also configure WebAuth interfaces. You can configure WebAuth on physical interfaces and on the VLAN1 interface (the latter when the device is in Transparent mode). For information on how to configure WebAuth interfaces, see Interface Configuration.

Select the authentication users:

User Group: Select a specific user group or select Allow Any, which allows all groups configured on the authentication server to use the policy. Before you can select a user group from the drop-down list, you must first configure it on the security device (see User Group Configuration), or on the authentication server.

User: Select a specific user, Allow Any (which allows all users configured on the authentication server to use this policy), or External User. Before you can select a user from the drop-down list, you must first configure it on the security device (see User Configuration), or on the authentication server.

External User: If you select External User from the drop-down list, you must also enter the name of the external user.

Note: You can select External User only if you are using external authentication servers such as RADIUS, SecurID, and LDAP.

Group Expression: Select a specific group expression or select Allow Any, which allows all groups configured on the authentication server to use this policy. Before you can select a group expression from the drop-down list, you must first configure it on the security device (see Group Expression Configuration).

Infranet-Auth: Select this option if you want users to sign into the Infranet Controller for authentication.

You can configure the Infranet Enforcer to redirect HTTP traffic to an external Web server instead of the Infranet Controller. For example, you can redirect HTTP traffic to a Web page that explains to users the requirement to sign into the Infranet Controller before they can access the protected resource. You could also include a link to the Infranet Controller on that Web page to help users sign in.

The captive portal feature redirects HTTP traffic only. If the user attempts to access a protected resource by using HTTPS or a non-browser application (such as an email application), the Infranet Enforcer does not redirect the user's traffic. When using HTTPS or a non-browser application, the user must manually sign into the Infranet Controller first before attempting to access the protected resource.

If there is an HTTP proxy between the endpoint and the Infranet Enforcer, the Infranet Enforcer might not redirect the HTTP traffic.

Use this captive portal feature in deployments that use either source IP-based enforcement or IPSec enforcement, or a combination of both methods:

No Redirect: Select this option to disable redirection on this policy. The security device does not redirect any traffic.

Redirect unauthenticated traffic: Select this option if your deployment uses source IP only or a combination of source IP and IPSec. The security device redirects clear-text traffic from unauthenticated users to the currently-connected Infranet Controller, or to an IP address or domain name that you specify in the redirect URL field (see Configuration > Infranet Auth > Controllers > Redirect URL).

Redirect all traffic: Select this option if your deployment uses IPSec only. The security device redirects all clear-text traffic to the currently-connected Infranet Controller, or to an IP address or domain name that you specify in the redirect URL field (see Configuration > Infranet Auth > Controllers > Redirect URL).

Note: This option does not allow clear-text traffic to pass through the device, which protects your network from IP spoofing. The device allows the user's encrypted traffic to pass through.

For more information on the Infranet Controller, see the Unified Access Control Administration Guide.

Counting: Select this option to have the security device count the total number of bytes for this policy and record the information in historical graphs.

Alarm Threshold: Enter a number in bytes per second or a number in bytes per minute, or both. A value of 0 indicates that the alarm is disabled. You must first enable counting before you can set an alarm threshold.

Note: You can only enter integer values in the Alarm Threshold fields.

HA Session Backup: (Only on security devices that support NSRP) Select this option to enable the backing up of sessions to which this policy applies when the security device is in a high availability (HA) configuration. This option is selected by default.

Valid for Serial: (Only on security devices that support port modes) Select this option when you want the serial interface ("MODEM") to act as the dial backup interface when using the Trust-Untrust or Home-Work port modes (see Port Modes). This option is selected by default.

Schedule: Select a schedule if you want to enforce this policy during certain time periods. Selecting None means the policy is always in effect. Before you can select a schedule from the drop-down list, you must first configure it (see Schedule Configuration).

Note: Traffic shaping options only appear for policies where traffic shaping can be applied (for example, for policies where there is only one interface bound to the destination zone).

Traffic Shaping: When you enable this feature, all traffic that matches this policy is controlled and shaped according to the specification.

Note: You can only apply traffic shaping to policies whose destination zone has a single interface bound to it. Security zones that contain subinterfaces or that contain more than one physical interface do not support traffic shaping.

The traffic shaping parameters include:

Policing Bandwidth: Enter a policing bandwidth value for the policy (in kilobits per second [kbps]). Traffic beyond this threshold is dropped at the ingress side of the security device, thus conserving throughput resources.

Ingress policing enables you to constrain the flow of traffic through the security device by limiting bandwidth on the ingress side. You do this by setting policing bandwidth, the pbw keyword, in a firewall policy to a policing bandwidth value.

Guaranteed Bandwidth: Enter a guaranteed bandwidth value for the policy (in kilobits per second [kbps]). Traffic below this threshold will be passed with highest priority without being subject to any traffic management or shaping mechanism.

Maximum Bandwidth: Enter a maximum bandwidth value for the policy (in kilobits per second [kbps]). The security device throttles and drops traffic that goes beyond this threshold.

Traffic Priority: Select a traffic priority level for the policy. Traffic with higher priority will be passed first, and lower priority traffic is passed only if there is no other higher priority traffic for a certain period of time. There are eight priority levels.

DiffServ Codepoint Marking: Differentiated Services (DiffServ) is a system for tagging (or "marking") traffic at a position within a hierarchy of priority. Selecting this option maps the eight ScreenOS priority levels to the DiffServ system. The highest priority (priority 0) maps to 111 in the DS byte (see RFC 2474) or TOS byte (see RFC 1349) in the IP packet header and the lowest priority (priority 8) maps to 000.

Note: We recommend that you do not use rates less than 10 kbps. Rates below this will lead to dropped packets and excessive retries that defeat the purpose of traffic management.

  2. Click Return to return to the Policy Configuration screen.
